Hi, please find attached the logs I created and help me to get rid
of that virus.
On Sat, Dec 3, 2011 at 5:13 PM, kura narin <[email protected]> wrote:
> Yeah, thank you for your response. As soon as I get the logs I will send
> them to all, and I am also trying for a solution.
> I have observed that it is changing the code of HTML pages, leaving the
> title as the search command which we enter and changing the redirect location
> in the frameset tags of the HTML pages.
>
>
> On Sat, Dec 3, 2011 at 4:39 PM, Jonathan Lieberman <[email protected]> wrote:
>
>> just randomly found this thread through a google search.... I just got
>> the same bit of nasty malware. new computer, hadn't loaded any virus
>> protection and malware protection till a few days after I bought it...
>> looks like it's something new that's going around because I've seen a
>> few other new posts about it. Will update if I find something to
>> remove it.
>>
>> On Dec 2, 9:35 pm, Srinivas Naik <[email protected]> wrote:
>> > Hi Narin,
>> >
>> > Follow below instructions
>> > 1. Copy and Paste below 3 lines in file "*malcop.cmd*"
>> >
>> > echo Collecting Startup and Process list...
>> > wmic startup get caption,command,location /format:list > startup_log.txt
>> > wmic process get Name,Description,CommandLine,ProcessId,ParentProcessId,ExecutablePath,ThreadCount,Handle,HandleCount /format:list > process_log.txt
>> > echo Files Startup_log.txt and Process_log.txt Created......
>> >
>> > 2. Attach the files generated startup_log.txt and process_log.txt to this
>> > thread
>> >
>> > Let's analyze the malware and sort out the issue.
>> >
>> > Don't worry ..... Trust MalCop :)
>> >
>> > Cheers,
>> > 0xN41K
>> >
>> > On Fri, Dec 2, 2011 at 6:15 PM, narin <[email protected]> wrote:
>> > > Hi All,
>> > > I have a big problem with my office computer.
>> > > All my browsers got affected by some virus, I think.
>> > > Whenever I try to open any website in a search engine,
>> > > I get connected to the kozanekozasearchsystem.com website and
>> > > get redirected to a
>> > > random website or random blogs.
>> > > When I used Firebug to see what's happening, I observed the virus
>> > > introducing some code
>> > > with the title as our typed text and,
>> > > in the frameset, redirecting to that website,
>> > > and to go to my desired website I need to click Enter on the
>> > > address bar again.
>> > > Please help me
>> >
>> > > Thank you
>> > > Narin
>> >
>> > > --
>> > > You received this message because you are subscribed to the Google Groups
>> > > "nforceit" group.
>> > > To post to this group, send an email to [email protected].
>> > > To unsubscribe from this group, send email to
>> > > [email protected].
>> > > For more options, visit this group at
>> > > http://groups.google.com/group/nforceit?hl=en-GB.
>>
>
>
> --
> Thanks and Regards,
>
> K.N.NARIN.
>
> Oracle Certified Professional,Java SE 6 programmer(SCJP 6)
>
> Ankit Fadia Certified Ethical Hacker(AFCEH 5.0)
>
> http://lifetechnology-narin.blogspot.com/
>
--
Thanks and Regards,
K.N.NARIN.
Oracle Certified Professional,Java SE 6 programmer(SCJP 6)
Ankit Fadia Certified Ethical Hacker(AFCEH 5.0)
http://lifetechnology-narin.blogspot.com/
CommandLine=
Description=System Idle Process
ExecutablePath=
Handle=0
HandleCount=0
Name=System Idle Process
ParentProcessId=0
ProcessId=0
ThreadCount=4
CommandLine=
Description=System
ExecutablePath=
Handle=4
HandleCount=553
Name=System
ParentProcessId=0
ProcessId=4
ThreadCount=122
CommandLine=
Description=smss.exe
ExecutablePath=
Handle=300
HandleCount=32
Name=smss.exe
ParentProcessId=4
ProcessId=300
ThreadCount=2
CommandLine=
Description=csrss.exe
ExecutablePath=
Handle=444
HandleCount=806
Name=csrss.exe
ParentProcessId=436
ProcessId=444
ThreadCount=13
CommandLine=
Description=wininit.exe
ExecutablePath=
Handle=512
HandleCount=115
Name=wininit.exe
ParentProcessId=436
ProcessId=512
ThreadCount=4
CommandLine=
Description=csrss.exe
ExecutablePath=
Handle=536
HandleCount=686
Name=csrss.exe
ParentProcessId=524
ProcessId=536
ThreadCount=15
CommandLine=
Description=services.exe
ExecutablePath=
Handle=600
HandleCount=283
Name=services.exe
ParentProcessId=512
ProcessId=600
ThreadCount=9
CommandLine=
Description=lsass.exe
ExecutablePath=
Handle=620
HandleCount=895
Name=lsass.exe
ParentProcessId=512
ProcessId=620
ThreadCount=9
CommandLine=
Description=lsm.exe
ExecutablePath=
Handle=628
HandleCount=160
Name=lsm.exe
ParentProcessId=512
ProcessId=628
ThreadCount=10
CommandLine=
Description=winlogon.exe
ExecutablePath=
Handle=736
HandleCount=138
Name=winlogon.exe
ParentProcessId=524
ProcessId=736
ThreadCount=6
CommandLine=
Description=svchost.exe
ExecutablePath=
Handle=784
HandleCount=397
Name=svchost.exe
ParentProcessId=600
ProcessId=784
ThreadCount=12
CommandLine=
Description=nvvsvc.exe
ExecutablePath=
Handle=848
HandleCount=74
Name=nvvsvc.exe
ParentProcessId=600
ProcessId=848
ThreadCount=5
CommandLine=
Description=svchost.exe
ExecutablePath=
Handle=888
HandleCount=416
Name=svchost.exe
ParentProcessId=600
ProcessId=888
ThreadCount=10
CommandLine=
Description=svchost.exe
ExecutablePath=
Handle=428
HandleCount=432
Name=svchost.exe
ParentProcessId=600
ProcessId=428
ThreadCount=17
CommandLine=
Description=svchost.exe
ExecutablePath=
Handle=664
HandleCount=501
Name=svchost.exe
ParentProcessId=600
ProcessId=664
ThreadCount=16
CommandLine=
Description=svchost.exe
ExecutablePath=
Handle=540
HandleCount=1201
Name=svchost.exe
ParentProcessId=600
ProcessId=540
ThreadCount=36
CommandLine=
Description=svchost.exe
ExecutablePath=
Handle=1116
HandleCount=306
Name=svchost.exe
ParentProcessId=600
ProcessId=1116
ThreadCount=15
CommandLine=
Description=svchost.exe
ExecutablePath=
Handle=1240
HandleCount=663
Name=svchost.exe
ParentProcessId=600
ProcessId=1240
ThreadCount=27
CommandLine=
Description=nvvsvc.exe
ExecutablePath=
Handle=1380
HandleCount=109
Name=nvvsvc.exe
ParentProcessId=848
ProcessId=1380
ThreadCount=5
CommandLine=
Description=spoolsv.exe
ExecutablePath=
Handle=1548
HandleCount=318
Name=spoolsv.exe
ParentProcessId=600
ProcessId=1548
ThreadCount=13
CommandLine=
Description=armsvc.exe
ExecutablePath=
Handle=1684
HandleCount=76
Name=armsvc.exe
ParentProcessId=600
ProcessId=1684
ThreadCount=4
CommandLine=
Description=svchost.exe
ExecutablePath=
Handle=1728
HandleCount=141
Name=svchost.exe
ParentProcessId=600
ProcessId=1728
ThreadCount=8
CommandLine=
Description=LMIGuardianSvc.exe
ExecutablePath=
Handle=1768
HandleCount=130
Name=LMIGuardianSvc.exe
ParentProcessId=600
ProcessId=1768
ThreadCount=9
CommandLine=
Description=ramaint.exe
ExecutablePath=
Handle=1804
HandleCount=104
Name=ramaint.exe
ParentProcessId=600
ProcessId=1804
ThreadCount=3
CommandLine=
Description=LogMeIn.exe
ExecutablePath=
Handle=1824
HandleCount=594
Name=LogMeIn.exe
ParentProcessId=600
ProcessId=1824
ThreadCount=22
CommandLine=
Description=NOBuAgent.exe
ExecutablePath=
Handle=1924
HandleCount=67
Name=NOBuAgent.exe
ParentProcessId=600
ProcessId=1924
ThreadCount=4
CommandLine=
Description=SftService.exe
ExecutablePath=
Handle=1964
HandleCount=122
Name=SftService.exe
ParentProcessId=600
ProcessId=1964
ThreadCount=4
CommandLine=
Description=WLIDSVC.EXE
ExecutablePath=
Handle=2012
HandleCount=362
Name=WLIDSVC.EXE
ParentProcessId=600
ProcessId=2012
ThreadCount=11
CommandLine=
Description=LoadAgent.exe
ExecutablePath=
Handle=1152
HandleCount=150
Name=LoadAgent.exe
ParentProcessId=600
ProcessId=1152
ThreadCount=10
CommandLine=
Description=WLIDSVCM.EXE
ExecutablePath=
Handle=1332
HandleCount=61
Name=WLIDSVCM.EXE
ParentProcessId=2012
ProcessId=1332
ThreadCount=4
CommandLine=
Description=WUDFHost.exe
ExecutablePath=
Handle=2420
HandleCount=290
Name=WUDFHost.exe
ParentProcessId=664
ProcessId=2420
ThreadCount=8
CommandLine="taskhost.exe"
Description=taskhost.exe
ExecutablePath=C:\Windows\system32\taskhost.exe
Handle=2656
HandleCount=195
Name=taskhost.exe
ParentProcessId=600
ProcessId=2656
ThreadCount=9
CommandLine="C:\Windows\system32\Dwm.exe"
Description=dwm.exe
ExecutablePath=C:\Windows\system32\Dwm.exe
Handle=2760
HandleCount=145
Name=dwm.exe
ParentProcessId=664
ProcessId=2760
ThreadCount=5
CommandLine=C:\Windows\Explorer.EXE
Description=explorer.exe
ExecutablePath=C:\Windows\Explorer.EXE
Handle=2824
HandleCount=1059
Name=explorer.exe
ParentProcessId=2748
ProcessId=2824
ThreadCount=31
CommandLine=
Description=svchost.exe
ExecutablePath=
Handle=2080
HandleCount=211
Name=svchost.exe
ParentProcessId=600
ProcessId=2080
ThreadCount=16
CommandLine=
Description=STService.exe
ExecutablePath=
Handle=2224
HandleCount=130
Name=STService.exe
ParentProcessId=2076
ProcessId=2224
ThreadCount=2
CommandLine=
Description=Toaster.exe
ExecutablePath=
Handle=2928
HandleCount=321
Name=Toaster.exe
ParentProcessId=980
ProcessId=2928
ThreadCount=7
CommandLine="C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
Description=RAVCpl64.exe
ExecutablePath=C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Handle=3056
HandleCount=245
Name=RAVCpl64.exe
ParentProcessId=2824
ProcessId=3056
ThreadCount=11
CommandLine="C:\Windows\System32\rundll32.exe" C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
Description=rundll32.exe
ExecutablePath=C:\Windows\System32\rundll32.exe
Handle=3012
HandleCount=101
Name=rundll32.exe
ParentProcessId=2824
ProcessId=3012
ThreadCount=5
CommandLine="C:\Windows\System32\rundll32.exe" C:\Windows\system32\EptMon64.dll,RunDLLEntry EptMon64
Description=rundll32.exe
ExecutablePath=C:\Windows\System32\rundll32.exe
Handle=3004
HandleCount=104
Name=rundll32.exe
ParentProcessId=2824
ProcessId=3004
ThreadCount=5
CommandLine="C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
Description=LogMeInSystray.exe
ExecutablePath=C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
Handle=2212
HandleCount=154
Name=LogMeInSystray.exe
ParentProcessId=2824
ProcessId=2212
ThreadCount=5
CommandLine="C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe"
Description=ShwiconXP9106.exe
ExecutablePath=C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
Handle=1032
HandleCount=127
Name=ShwiconXP9106.exe
ParentProcessId=2612
ProcessId=1032
ThreadCount=1
CommandLine="C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE" /tsr
Description=ONENOTEM.EXE
ExecutablePath=C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
Handle=1028
HandleCount=47
Name=ONENOTEM.EXE
ParentProcessId=2824
ProcessId=1028
ThreadCount=1
CommandLine="C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
Description=RoxioBurnLauncher.exe
ExecutablePath=C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
Handle=2788
HandleCount=155
Name=RoxioBurnLauncher.exe
ParentProcessId=2612
ProcessId=2788
ThreadCount=6
CommandLine="C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
Description=accuweather.exe
ExecutablePath=C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
Handle=2832
HandleCount=536
Name=accuweather.exe
ParentProcessId=2612
ProcessId=2832
ThreadCount=18
CommandLine="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Description=jusched.exe
ExecutablePath=C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Handle=1220
HandleCount=48
Name=jusched.exe
ParentProcessId=2612
ProcessId=1220
ThreadCount=1
CommandLine="C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
Description=Updater.exe
ExecutablePath=C:\Program Files (x86)\Ask.com\Updater\Updater.exe
Handle=2268
HandleCount=246
Name=Updater.exe
ParentProcessId=2612
ProcessId=2268
ThreadCount=6
CommandLine=
Description=WmiPrvSE.exe
ExecutablePath=
Handle=3172
HandleCount=231
Name=WmiPrvSE.exe
ParentProcessId=784
ProcessId=3172
ThreadCount=9
CommandLine=
Description=SearchIndexer.exe
ExecutablePath=
Handle=3456
HandleCount=1493
Name=SearchIndexer.exe
ParentProcessId=600
ProcessId=3456
ThreadCount=18
CommandLine=
Description=wmpnetwk.exe
ExecutablePath=
Handle=3816
HandleCount=280
Name=wmpnetwk.exe
ParentProcessId=600
ProcessId=3816
ThreadCount=14
CommandLine=
Description=WmiPrvSE.exe
ExecutablePath=
Handle=3936
HandleCount=215
Name=WmiPrvSE.exe
ParentProcessId=784
ProcessId=3936
ThreadCount=7
CommandLine="C:\Windows\system32\wuauclt.exe"
Description=wuauclt.exe
ExecutablePath=C:\Windows\system32\wuauclt.exe
Handle=3872
HandleCount=95
Name=wuauclt.exe
ParentProcessId=540
ProcessId=3872
ThreadCount=3
CommandLine=
Description=OSPPSVC.EXE
ExecutablePath=
Handle=120
HandleCount=146
Name=OSPPSVC.EXE
ParentProcessId=600
ProcessId=120
ThreadCount=3
CommandLine=
Description=svchost.exe
ExecutablePath=
Handle=4436
HandleCount=103
Name=svchost.exe
ParentProcessId=600
ProcessId=4436
ThreadCount=4
CommandLine="C:\Users\kuran.narin\AppData\Local\Google\Update\1.3.21.79\GoogleCrashHandler.exe" /crashhandler
Description=GoogleCrashHandler.exe
ExecutablePath=C:\Users\kuran.narin\AppData\Local\Google\Update\1.3.21.79\GoogleCrashHandler.exe
Handle=1584
HandleCount=102
Name=GoogleCrashHandler.exe
ParentProcessId=4012
ProcessId=1584
ThreadCount=5
CommandLine=
Description=ntoskrnla.exe
ExecutablePath=
Handle=3316
HandleCount=248
Name=ntoskrnla.exe
ParentProcessId=2168
ProcessId=3316
ThreadCount=5
CommandLine="C:\Program Files (x86)\Reuters\RMC\RunRM.exe"
Description=RunRM.exe
ExecutablePath=C:\Program Files (x86)\Reuters\RMC\RunRM.exe
Handle=4612
HandleCount=49
Name=RunRM.exe
ParentProcessId=2824
ProcessId=4612
ThreadCount=1
CommandLine="c:\program files (x86)\reuters\rmc\rmc.exe"
Description=RMC.exe
ExecutablePath=c:\program files (x86)\reuters\rmc\rmc.exe
Handle=4152
HandleCount=942
Name=RMC.exe
ParentProcessId=4612
ProcessId=4152
ThreadCount=28
CommandLine=
Description=taskhost.exe
ExecutablePath=
Handle=5100
HandleCount=137
Name=taskhost.exe
ParentProcessId=600
ProcessId=5100
ThreadCount=6
CommandLine=C:\Windows\splwow64.exe 1
Description=splwow64.exe
ExecutablePath=C:\Windows\splwow64.exe
Handle=1136
HandleCount=112
Name=splwow64.exe
ParentProcessId=3304
ProcessId=1136
ThreadCount=5
CommandLine="C:\SmartDraw 2010\SmartDraw.exe"
Description=SmartDraw.exe
ExecutablePath=C:\SmartDraw 2010\SmartDraw.exe
Handle=3552
HandleCount=403
Name=SmartDraw.exe
ParentProcessId=2824
ProcessId=3552
ThreadCount=8
CommandLine="C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
Description=OUTLOOK.EXE
ExecutablePath=C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
Handle=2244
HandleCount=3182
Name=OUTLOOK.EXE
ParentProcessId=2824
ProcessId=2244
ThreadCount=31
CommandLine="C:\Program Files (x86)\Skype\Phone\Skype.exe"
Description=Skype.exe
ExecutablePath=C:\Program Files (x86)\Skype\Phone\Skype.exe
Handle=3492
HandleCount=932
Name=Skype.exe
ParentProcessId=2824
ProcessId=3492
ThreadCount=58
CommandLine="C:\SmartDraw 2010\SmartDraw.exe" -x C:\narin work folder\swimlaneAudit Trace.sdr
Description=SmartDraw.exe
ExecutablePath=C:\SmartDraw 2010\SmartDraw.exe
Handle=6468
HandleCount=368
Name=SmartDraw.exe
ParentProcessId=5304
ProcessId=6468
ThreadCount=10
CommandLine="C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\narin work folder\Audit log\Audit Tracing Flow.docx"
Description=WINWORD.EXE
ExecutablePath=C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Handle=7056
HandleCount=757
Name=WINWORD.EXE
ParentProcessId=2824
ProcessId=7056
ThreadCount=15
CommandLine=
Description=svchost.exe
ExecutablePath=
Handle=6376
HandleCount=763
Name=svchost.exe
ParentProcessId=600
ProcessId=6376
ThreadCount=34
CommandLine=
Description=SearchProtocolHost.exe
ExecutablePath=
Handle=4428
HandleCount=282
Name=SearchProtocolHost.exe
ParentProcessId=3456
ProcessId=4428
ThreadCount=8
CommandLine=
Description=SearchFilterHost.exe
ExecutablePath=
Handle=6488
HandleCount=113
Name=SearchFilterHost.exe
ParentProcessId=3456
ProcessId=6488
ThreadCount=6
CommandLine="C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
Description=firefox.exe
ExecutablePath=C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Handle=3412
HandleCount=508
Name=firefox.exe
ParentProcessId=2824
ProcessId=3412
ThreadCount=35
CommandLine=
Description=WmiPrvSE.exe
ExecutablePath=
Handle=6016
HandleCount=131
Name=WmiPrvSE.exe
ParentProcessId=784
ProcessId=6016
ThreadCount=8
CommandLine=C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Description=dllhost.exe
ExecutablePath=C:\Windows\system32\DllHost.exe
Handle=5448
HandleCount=92
Name=dllhost.exe
ParentProcessId=784
ProcessId=5448
ThreadCount=6
CommandLine=cmd /c ""C:\Users\kuran.narin\Desktop\malcop1.cmd" "
Description=cmd.exe
ExecutablePath=C:\Windows\system32\cmd.exe
Handle=5700
HandleCount=25
Name=cmd.exe
ParentProcessId=2824
ProcessId=5700
ThreadCount=1
CommandLine=\??\C:\Windows\system32\conhost.exe "2071750563-753992321122629999-774966890-123912016428143735-143075807-71004550
Description=conhost.exe
ExecutablePath=C:\Windows\system32\conhost.exe
Handle=224
HandleCount=59
Name=conhost.exe
ParentProcessId=536
ProcessId=224
ThreadCount=2
CommandLine=wmic process get Name,Description,CommandLine,ProcessId,ParentProcessId,ExecutablePath,ThreadCount,Handle,HandleCount /format:list
Description=WMIC.exe
ExecutablePath=C:\Windows\System32\Wbem\WMIC.exe
Handle=3100
HandleCount=152
Name=WMIC.exe
ParentProcessId=5700
ProcessId=3100
ThreadCount=6
Caption=OneNote 2010 Screen Clipper and Launcher
Command=OneNote 2010 Screen Clipper and Launcher.lnk
Location=Startup
Caption=Google Update
Command="C:\Users\kuran.narin\AppData\Local\Google\Update\GoogleUpdate.exe" /c
Location=HKU\S-1-5-21-3765679457-586406429-463942621-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Caption=RtHDVCpl
Command=C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Caption=NvCplDaemon
Command=RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Caption=RunDLLEntry_THXCfg
Command=C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Caption=RunDLLEntry_EptMon
Command=C:\Windows\system32\RunDLL32.exe C:\Windows\system32\EptMon64.dll,RunDLLEntry EptMon64
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Caption=DellStage
Command="C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Caption=LogMeIn GUI
Command="C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
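
The analysis step the thread asks for, as an added example that is not part of the original messages or attachments: a Python parser for `wmic process get ... /format:list` output that rejoins values wrapped onto a second line and lists processes whose name closely resembles a Windows system image name, or matches one while running from an unexpected path. SYSTEM_NAMES, the distance threshold of 2 and the SAMPLE records are assumptions constructed for this example (one record reuses a process name from the log above); the results are leads for manual review, not verdicts.

```python
import re

# Keys requested by the wmic command in the thread.
KEY_RE = re.compile(r"^(CommandLine|Description|ExecutablePath|HandleCount|Handle|"
                    r"Name|ParentProcessId|ProcessId|ThreadCount)=(.*)$")
# Assumption: short, non-exhaustive reference list of Windows image names.
SYSTEM_NAMES = ("svchost.exe", "csrss.exe", "lsass.exe", "smss.exe", "ntoskrnl.exe")

def parse_wmic_list(text):
    """A repeated key starts a new record; a keyless line continues a value."""
    records, cur, last = [], {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = KEY_RE.match(line)
        if m and m.group(1) in cur:      # key seen again: next process
            records.append(cur)
            cur = {}
        if m:
            last = m.group(1)
            cur[last] = m.group(2)
        elif last:                       # wrapped continuation line
            cur[last] += " " + line
    return records + ([cur] if cur else [])

def edit_distance(a, b):  # Levenshtein distance, computed row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        row = [i]
        for j, cb in enumerate(b, 1):
            row.append(min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = row
    return prev[-1]

def triage(records):
    """Return (pid, name, reason) leads for manual review, not verdicts."""
    leads = []
    for r in records:
        pid, name = r.get("ProcessId"), r.get("Name", "").lower()
        path = r.get("ExecutablePath", "").lower()
        if name in SYSTEM_NAMES:
            if path and not path.startswith("c:\\windows\\"):  # empty path: not judged
                leads.append((pid, name, "system name, unexpected path"))
            continue
        near = [s for s in SYSTEM_NAMES if edit_distance(name, s) <= 2]
        if near:
            leads.append((pid, name, "resembles " + near[0]))
    return leads

# Constructed sample in the log's format (keys abbreviated, values illustrative).
SAMPLE = r'''CommandLine="C:\Windows\System32\rundll32.exe"
C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
Name=rundll32.exe
ProcessId=3012
CommandLine=
ExecutablePath=
Name=ntoskrnla.exe
ProcessId=3316
ExecutablePath=C:\Users\example\AppData\Local\Temp\svchost.exe
Name=svchost.exe
ProcessId=4242'''
```

Call `triage(parse_wmic_list(open("process_log.txt").read()))` on a collected log. An empty ExecutablePath usually means the collector was not run elevated, so the path check cannot judge those entries until the log is re-collected from an elevated prompt.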